Hardening the BIND DNS Server

Your Domain Name Service is the road sign to your systems on the
Internet. No matter how secure and robust your Web, mail and other
servers are, compromised and corrupted DNS systems can prevent customers
and legitimate users from ever reaching you.

DNS, like many of the older protocols, was developed at a time when the
Internet was a kinder, gentler place and was meant to provide a simple
and unlimited way to provide information about what computers you have
to anyone else. Obviously, the model of the Internet has changed, and
changes to BIND (Berkeley Internet Name Domain software, the most common
implementation of DNS), along with widely accepted configuration
guidelines, have improved our ability to lock down DNS.

Introduction

BIND (the Berkeley Internet Name Domain) 1 is the most frequently used DNS server, maintained by the ISC. It is also known as "named," since this is the name of the actual daemon itself. BIND has a long history, is a core tool for most Internet sites and is currently at V8.

As with many applications exposed to the increasingly hostile Internet environment, security weaknesses have been discovered in BIND.

Why bother? What risks does an insecure BIND pose?

So what, you say? Yet another program with security problems? There are so many problems in so many applications these days, it's just not possible to keep up with all these advisories and patches. Do we really have to worry about DNS too? Well, a compromised DNS server can pose some interesting risks:

An attacker can gain much interesting information if zone tranfers are allowed: the entire list of hosts and routers with IP addresses, names and possible even comments indicating location, names etc.

Emails can't be delivered (some other Internet sites that you frequently exchange data with may have cached DNS entries, but they won't last more than a few days).

An attacker could start up a fake DNS server that pretends to be yours and delivers false DNS information to the Internet about your domain. That is, integrity is lost - see next section.

Loss of integrity: If an attacker can change the DNS data or spoof other sites into believing false data (this is known as DNS poisoning), it gets very dangerous:

Fake Websites can be set up to look like yours and capture user input destined for your site, which may be anything from user/passwords to PINs to account information.

All email can be diverted to a relay which can copy, change or delete email before passing it to your site.

If your firewall or any Internet-accessible host uses DNS hostnames for authentication or trust relationships, these can be completely compromised, especially if a weak packet filter protects the Internet servers and Intranet. Imagine a Web proxy configured to only allow proxy requests from *.mydomain.com. The attacker adds his host to the domain, then the Web proxy may allow requests from him, allowing the attacker HTTP access to the Intranet. Imagine a system administrator who uses SSH (great crypto stuff), but the firewall host has a ".shosts" trust to "admin.mydomain.com," where "admin" is the administrator's workstation. If the attacker can replace the entry for "admin.mydomain.com" in the DNS, he has password-free access to the firewall hosts.

So What Needs To Be Done?

BIND weakness may be addressed with several prevention measures, but detection and reaction shouldn't be forgotten either:

Resource isolation: Use a dedicated, hardened server for Internet DNS, don't share with other services, and especially do not allow user logins. Minimal services/users means reducing the amount of software running and hence the amount exposed to network attacks. Separation prevents other services or users possibly using local weakness in the system to attack BIND.

Redundancy: Install a secondary on a different Internet connection (foreign branch of your company, another ISP, etc.). If your site dies, at least other sites won't think you "cease to exist"; they just think you're "not available," so that emails, for example, won't get lost but will be queued (typically up to four days).

Use the latest version (e.g. 8.2.2-P5 or later, which includes security fixes).

More resource isolation: Run BIND in a "chroot" jail, so it is much more difficult for a compromised bind daemon to damage the operating system or compromise other services.

Detection: Monitor logs for unusual activity; monitor the system for unauthorized changes with an integrity checker; keep an eye on relevant advisories.

The procedure in this paper concentrates only on measures 4), 5) and 6), which should help to protect a server against possible future weakness in BIND. This procedure has been tested on several production systems: a secondary on Solaris 2.5 + 2.8, a primary on Solaris 2.6 + 2.7.

Install and Configure BIND

It is assumed that Solaris is up and running and appropriately hardened and that the BIND delivered with Solaris is disabled. If you have not yet hardened Solaris, check out the YASSP tool first 7. This section runs through:

Compiling BIND on a master host, since you probably don't have (or shouldn't have) a compiler on the hardened DNS server.

Copying and installing BIND on the DNS server.

Setting up DNS data files.

Running BIND.

1. Compiling BIND (on a host with a compiler).

Download the distribution 1, and extract it to a subdirectory and compile. This can be done as any user.

make clean;
make depend && make;

Now change to the root account, install to a temporary directory, and create a tarball:

2. Setting up DNS data files

So what do you put in named.conf? Have a look at the examples provided in the second footnote 2. The file consists of options, logging, ACL, server and Zone sections. Some of the directives are:

The directory tells BIND where to look for data files.

Internal DNS servers without Internet access will need to use forwarders to forward all unknown queries to DNS servers which have Internet access.

The process number of BIND is stored according to the pid-file directive. The "named user" needs read and write access to this file.

BIND's logging is very flexible. The example show logs to the syslog local1.info facility.

Access control lists (ACLs) can and should be used to restrict what servers are allowed zone transfers. It is recommended to use this feature to make it more difficult for attackers to map your network layout. Servers typically allowed in the list are primaries/secondaries for the domain, your ISP and NIC for your country.

After setting up named.conf, the files containing the DNS records have to be set up on primaries (in /var/named in our example); these are automatically downloaded by secondaries.

Chroot'ing BIND

BIND is now up and running, but we want to tighten security further by forcing it to run in a chroot environment (also called a jail or padded cell: Basically, restrict the files visible to BIND to a subdirectory within the file system). See also the second footnote 2 for a discussion of chroot environments.

We will now walk through the steps for setting up the chroot environment, copying over the BIND files, starting BIND and troubleshooting. These steps chroot the entire BIND program, not just using BIND's "-t" feature (see Note 1).

The following steps assume use of the C-Shell. We start by setting a variable for the chroot environment (jail) location, and setting umask so that all files copied can be read by both groups and world. These commands are designed to be copied and pasted.

Next, set permissions on files, so that root owns files and named can read all files and write some files. And, disable any SUID/SGID files. The PID file is put in /var/run and not /usr/local, because we don't want the named user to be able to write to /usr/local/etc (and hence named.conf). The location of the PID file is specified in named.conf.

The chroot environment is set up and BIND is installed, so the current (non-chroot'ed) BIND can be stopped and the new one started.

Set up a tail on the (syslog) logs, to watch BIND activity: tail -f local0log | grep server1 The logs may be in /var/adm/messages or on a remote server, depending on your /etc/syslog.conf configuration. In this example, a centralized server collects logs and we look for messages from server1 (my test server).

Check for errors:  in the syslog log  do nslookups  make sure the secondary can do zone transfers  send a HUP signal to named, to ensure that it reloads configuration correctly.  Check the domains using the IP-Plus tool 4.

If everything still looks good, change the /etc/rc2.d/S72inetsvc (or equivalent startup file) entries for starting BIND to something like this:

Configuration Notes

BIND 8 had its own chroot function, which works by giving named an option "-t" which points to the chroot jail, for example "named -t /home/dns." When BIND starts up, it chroot's to the jail, after processing command line options and before it starts to answer queries. By compiling BIND and installing directly into the jail, all the bind programs will be correctly in place. Since BIND chroot's after reading user/group information, it doesn't need the other /etc and /usr/lib files noted above.

If BIND is set up as described above, it can still be started using this method, for example, /home/dns/usr/local/sbin/named -t /home/dns -u named

This method is simpler than the general chroot method below, but it does have the disadvantage that we rely on the BIND code to be executed before the chroot is bug-free. Also, a general chroot can be used to "jail" other programs too. For the moment, I'll continue using the general chroot method described below, and update this article as problems are found/solved. See also the Known Problems section.

BIND provides some new security features in its latest release. Here we examine one: the use of TSIG (transaction signatures) to authenticate zone transfers.

Zone transfers are usually limited to a list of IP addresses (via the ACL mechanism) which correspond to specific DNS servers for a zone. Since only IP addresses are used, this mechanism is open to IP spoofing. BIND 8.2 and later allow authentication and verification of zone data. A key is configured on primary and secondary name servers and used to sign messages exchanged between the servers. It's important that the server times are synchronized. If the transfer is not authenticated with the correct key, no zone transfer may take place.

Let's look at an example where we use TSIG to restrict the zone transfers between a DNS primary "prim" (IP address 10.1.1.2) and DNS slave secondary "sec1" (IP address 10.1.2.2).

a) Generate an MD5 key, which will be used as a shared secret between the DNS servers. The "dnskeygen" tool is used. The key is written to a file.

e) Restart both named servers (send a HUP signal), then check the (syslog) logs for errors.

Testing if it works:

On the secondary, stop named, delete one of the zone files and restart. Watch the logs. A message indicating a successful zone transfer should appear and the corresponding zone file be created.

To make sure the TSIG key is really being used, change the key on the primary (e.g. add the letters "TEST" as the first few letters), stop both name servers, delete the zone file on the secondary, and restart both. The zone transfer will not take place, an error message like "named-xfer[16280]: [ID 745729 daemon.notice] SOA TSIG verification from server [10.1.1.2], zone mytestdomain.com: BADKEY (-17)" appears in the log, and the zone file is not recreated. Changing back the key on the primary and restarting BIND on primary and secondary fixes our deliberate fault.

So it's really not so difficult to significantly increase the security of your zone transfers. It is important that the file permissions on named.conf be restrictive so that it cannot be read by everyone on a system. The secret string used in the key must remain secret.

For server to server communications, the source server can be configured to use source port 53 (rather than a dynamic high port), with the option:

query-source * port 53;

Typical firewall rules would be: allow udp 53 in from outside to dns server [queries to your server] allow udp 53 in from dns server to outside [queries from your server] allow tcp 53 in from secondaries or ISP server to dns server [zone transfers from your server] allow tcp 53 out from dns server to outside [zone transfers from primaries, for which you are a secondary] Note: queries normally use udp, but apparently also use tcp under load, so restrict queries to udp may cause headaches in some situations.

If you want to enable dynamic updates, despite the additional risk, use TSIG for better authentication of hosts allowed to make updates. Always restrict updates via an ACL.

BIND can be configure to only allow resolver queries for explicit hosts or networks via the option: allow-query { 193.a.b.c/24; }; An interesting way of using this is to restrict access globally (in 'options') to your own networks and then allow 'all' access in specific zones or subzones, that you wish to be published to the Internet.

Internet servers or 'delegate' servers should be configured to only allow "recursive queries" from valid DNS servers/clients in your company, but not the Internet. Recursive queries allow the DNS client to ask the DNS server for information on IP addresses for which it is not authoritive. The server will do it's best to get the needed infotmation and will cache it, but we don't want that, we only want to serve information to others that we know is 100% correct, i.e. that the server is authoritive for. Stopping or restricting recursion can improve performance and help prevent a form of attack known as DNS cache poisoning. The appropriate option is:

allow-recursion { 193.a.b.c/24; };

To stop recursion completely (e.g. on a deligate server), set the option:

recursion no;

In the same vein, bind can be prevented from automatically resolving name server names in NS or RDATA records by setting the option:

Linux users may also be interested in Stackguard (a compiler for improved resistance to 'stack smashing' attacks) or Immunix OS (RH Linux rebuilt with Stackguard) See Immunix.org. Note that Stackguard v1.2 had security flaws - use v1.21 or later.

Acknowledgments

Useful tips were also provided by FOCUS-SUN@SECURITYFOCUS.COM members, including C.M. Wong, Eric Jon Rostetter, J. S. Townsley, Wyman Eric Miles, and Colin Stefani. Fabrice Bacchella pointed out how to use BIND's inbuilt chroot function. See also the archive of focus-sun messages. Thanks also to Stephane Grundschober and Kurt Seifried.

About the Author

Sean Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook. He has over 4 years experience managing DNS servers.

SecurityPortal is the world's foremost on-line resource and services provider for companies and individuals concerned about protecting their information systems and networks.http://www.SecurityPortal.comThe Focal Point for Security on the Net (tm)